Shostack + Friends Blog Archive

 

Not Because It Is Easy, But Because We Can

Twelve barrels of the world’s most alcoholic whisky, or enough to wipe out a medium-size army, will be produced when the Bruichladdich distillery revives the ancient tradition of quadruple-distilling today. With an alcohol content of 92 per cent, the drink may not be the most delicate single malt ever produced but it is by far […]

 

Patents and Innovation

In responding to “New Products, Emerging from Chaos,” Albatross makes a good comment about how the RSA patent expiry didn’t lead to an immediate outpouring of new products. Albratross also mentions how transaction costs encourage people to look for new ways to solve a problem. Mordaxus says there has been an explosion in the use […]

 

On Computers and Irony

I’ve been saying for a while that destroying information has an ironic tendency: While it’s quite hard to really destroy data on a computer when you want to, (for example, “Hard-Disk Risk“) it’s quite easy to lose the data by accident. Similarly, while it’s quite hard to make code that runs and does what you […]

 

How Much Does A Firewall Reduce Your Risk?

In a recent post, “The Future Belongs To The Quants,” Chris suggests that risk mitigations must be quantifiable. My post “In The Future, Everyone Will Be Audited for 20 Years,” lists what the FTC is requiring for risk mitigation. It seems none of it is quantifiable. Chris?       (Incidentally, I think this iptables […]

 

Analysis of University of Texas, 4,000 encrypted SSNs, Laptop

There is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and its nice to see that not only did the M.D. Anderson Cancer center ensure that their data was stored encrypted, they chose to notify people that it happened: The private […]

 

Relentless Navel Gazing, Part 8

We made a few changes yesterday. There’s now a special archive page for the “Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars” series of posts. I’ve gotten more kudos for that series than anything else, so added a way for you to read them all in the order they were presented. […]

 

Security Breach Resources

I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful. The URL is http://www.cwalsh.org/BreachInfo/ […]

 

Dear Lazyweb

I’m looking for code that will parse the emails sent by online travel agencies and airlines. Ideally, it would be Python code that allows me invoke something like itinerary.get_next_flight(msg) and get a dictionary of (to, from, airline, flight #, date), etc. Does such a library exist?

 

Justice Department Weighs In On Google Subpoena

Surprise surprise, the Department of Justice doesn’t think that the Bush administration’s request for search data violates users’ privacy rights. [Edit: Fixed broken link] [Update: Try this link instead. ]

 

Leverage

Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.

 

"Illegal Political Activity"

Something is seriously wrong when the New York Times has an article “I.R.S. Finds Sharp Increase in Illegal Political Activity,” and fails to mention the free speech issues associated with the claptrap coming out of Congress: While pointing out the extent of the problem, the agency published more guidance for nonprofit organizations, including examples of […]

 

The future belongs to the quants

The title is of course stolen from Dan Geer. By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial Institution has no duty to encrypt a customer database. In dismissing the case with prejudice, the court took note of an […]

 

New Products, Emerging From Chaos

In a trenchant comment on “Secretly Admiring,” Victor Lighthill writes: Not to disrespect Ron Rivest or Credentica’s Stefan Brands, but patenting your ideas in crypto is, historically, a great way to ensure that it takes them 15 years to go from concept to use. While there may be important grains of truth in this, and […]

 

Subject: Attention! Several VISA Credit Card bases have been LOST!

You know breaches are reaching the public consciousness when spammers use them to make money. I got this in email yesterday, along with a URL that I don’t feel like linking. Banks would do really well to send less email with the words “click here,” and more saying “visit our site using a bookmark.” Good […]

 

More CFIUS fun

UAE running our ports? CFIUS is cool with that. Israeli ownership of an IDS company? Now hold on there, pardner. Hat tip to Richard Bejtlich.

 

"It fell off the truck. No, really."

Via news.com.au: BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck. The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, […]

 

40 Million Pounds Sterling Stolen from British Bank

As reported in The Australian, a group of co-ordinated criminals stole over 40 millions pounds in cash from a processing center. They did so, by the expedient process of dressing up as police officers and kidnapping the wife and child of one of the center’s managers. They then were escorted on site where they subdued […]

 

In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an […]

 

Ephemeral port security

By now, most have heard about Dubai Ports World, a foreign entity, assuming control of operations at various U.S. ports. The arguments around this transaction are predictable and uninteresting. One thing that is clear is that the Committee on Foreign Investment in the United States (CFIUS) is legally mandated to consider such deals. In fact, […]

 

Updating Windows Mobile Phones

Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile […]

 

Dan Kaminsky on Sony and Anti-Virus

Read “Learning from Sony: An External Perspective” on Dan’s blog: The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources […]

 

Secretly Admiring

Quick! Name the speaker: In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing […]

 

Metadata strike again!

Brian Krebs wrote about a botnet and the 733t d00d who ran one, nom de hack 0x80. Well, turns out the doctored on-line photo the Washington Post ran contained metadata identifying the gentleman’s rather small home town. Coupled with information in Krebs’ article concerning businesses near 0x80’s residence, identifying the young criminal would seem a […]

 

Book Review: The Stag Hunt and the Evolution of Social Structure

Brian Skyrms’ The Stag Hunt and the Evolution of Social Structure addresses a subject lying at the intersection of the social sciences, philosophy, and evolutionary biology — how it is possible for social structures to emerge among populations of selfishly-acting individuals. Using Rousseau’s example of a Stag Hunt, in which hunters face a decision between […]

 

Police report on Cheney shooting incident reveals license info

Yet another incident of ineffective redaction? Adam’s del.icio.us bookmarks alerted me to this blog entry, in which commenters describe the ease with which the drivers’ license numbers of witnesses to the VP’s recent hunting accident are revealed. If this stuff is worth blocking, it’s worth blocking properly.

 

True.com Sent 'Race-Customized' Valentines

How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how […]

 

Police Chiefs Gone Wild

Harold Hurtt has suggested that surveillance cameras be placed “in apartment complexes, downtown streets, shopping malls and even private homes”, according to this story in the Seattle Post Intelligencer. In response, I hereby found…. The Hurtt Prize The Hurtt Prize is a $1120 (and growing) reward for the first person who can provide definitive videotaped […]

 

Safari Users: Don't Open "Safe" files after downloading

Go to preferences, general, and un-select that box. From “Apple Safari Browser Automatically Executes Shell Scripts,” via SANS and Eric Rescorla. Don’t miss Peter da Silva’s comment on Eric’s post. Eric, how do you get such good comments?

 

The Leaf of Trust

One of the most interesting and controversial aspects of Phil Zimmerman’s PGP was that it avoided any central repositories of information, relying instead on what Phil labeled the “web of trust.” The idea was that Alice “trusts” Bob, and Bob “trusts” Charlie, there’s some transitive trust that you can establish.[1] (I’m going to stop putting […]

 

Branded Security

For quite some time, Ian Grigg has been calling for security branding for certificate authorities. When making a reservation for a Joie de Vivre hotel, I got the attached Javascript pop-up. (You reach it before the providing a credit card number.) I am FORCED to ask, HOWEVER , what the average consumer is supposed to […]

 

CPNI Public Comment

The FCC has asked for comments on “TELECOMMUNICATIONS CARRIER’S USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION.” “Customer Proprietary Network Information” is newspeak for “selling your phone records.” Several anonymous readers commented on “Selling Your Phone Records” about their troubles with T-Mobile. Here’s a chance to tell the FCC what you went through. […]

 

The World's Greatest Rock and Roll Band?

Ok, so the Stones are playing, free, in Rio. I figure the crowd will be big. Maybe huge. Apparently not a record-breaker, though: Saturday’s crowd may not be as big as that at Rod Stewart’s 1994 concert, also at Copacabana beach, which drew a crowd of 3.5 million. Rod Stewart?

 

Salesman uses credit application to stalk and rape customer

Police say a convicted murderer used his job as a car salesman in Sandy to track a female customer to her home and rape her. Cleon Jones, 34, was arrested Wednesday on multiple first-degree felonies and remains in the Salt Lake County Jail without bail. Authorities allege Jones tracked down his victim by using her […]

 

University of Northern Iowa, 6000 W-2 forms, virus-infected laptop

An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during “routine monitoring”. Via wcfCourier.com: The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed […]

 

Custom Shirts

Get your custom shirts with font size controlled by word frequency. It’s shirts-2.0, now available from Snapshirts. Cool.

 

John Robb on the Next Attack

John Robb has some very interesting thoughts on the next major al Qaeda attack on the United States in “The Next Attacks on America:” The impact of these attacks, particularly if they are numerous (attracting copycats?) and spread out over an extended period of time will be severe. Given their lack of symbolic content (and […]

 

Old Dominion, 601 SSNs, Grad Student's Dismal Process

In 2004, a graduate student apparently posted a class roster of 601 students, complete with names an social security numbers on the web. (“ODU Graduate Student Posts Student Information on Website, School Investigating,” via Netsec.) Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don’t add up. There’s a story in […]

 

Second OSX Proof of Concept

Today we got a sample of rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth. OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333. Via F-Secure. I feel weird linking […]

 

Dept of Agriculture, 350,000 Tobacco Farmers, Dismal Process

The Agriculture Department says it accidentally released Social Security numbers and tax IDs for 350,000 tobacco farmers. But the department says those who received the information agreed to destroy copies and return discs to the government. The agency said it inadvertently released the data in response to Freedom of Information Act requests about the tobacco […]

 

Blue Cross of Florida, 27,000 employee SSNs, Contractor

The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it […]

 

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There’s some interesting tidbits: 6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder 6b) If your uid != 0 […]

 

Suffolk County, NY, 7,000+ SSNs, Dismal Process Failures

The Suffolk county [New York] clerk’s office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don’t have a way to remove them. And soon, a new plan will make it easier to retrieve them. Mortgages and deeds that contain Social Security numbers for an estimated […]

 

Thank You, Choicepoint

It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story: Last week, the company notified […]

 
 

Risk aggregation and the living dead

Light blue touchpaper is a new web log written by researchers in the Security Group at the University of Cambridge Computer Laboratory. You should read it. As for the headline, zombies eat brains. There’s plenty of ’em [edited to add: brains, that is!!] in close proximity in Ross Anderson’s group. ’nuff said.

 

Emergent Intelligence

John Robb has a fascinating post on how networked organizations learn and improve their orientation as they engage with their worlds. In “Emergent Intelligence,” Robb focuses on the Iraqi insurgency, but draws important and general lessons. He says there are five factors needed for emergent intelligence: A critical mass of participation. I’d suggest that a […]

 

The 4th Amendment is Nice to Have

Cities can require stores to send customers’ identification to an electronic database for police to monitor, judges in two [Canadian] provinces have ruled this week. Cash Converters Canada Inc. and British Columbia’s largest pawn shop have each failed to persuade judges that a new generation of city bylaws is trampling customers’ legal rights. From “Courts […]

 
 

Free advice for merchants accepting payment cards

3. Protect Stored Data 3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. 3.2 Do not store sensitive authentication data subsequent to authorization (not […]

 

Here's a name: Wal-Mart

Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds. In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced […]

 

The Wallet Game

At lunch after Shmoocon, Nick Mathewson said he’d like to pay something between zero and the amount of money in his wallet. I think this suggests a fascinating game, which is that Alice asks Bob for some amount of money. If Bob has that much money in his wallet, he pays. Otherwise, Alice pays him […]

 

SarBox and Breaches

Earlier today Chris wrote (“Naming names isn’t always bad“): A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability. Bugger efficient markets! […]

 

Crispier Breach Disclosure (Cooks Illustrated, unknown # CCs)

A good breach disclosure fills you up with what happened, how, and what the company is doing for you. But too often, such notices are soggy and imprecise. Want more precision in the recipe? Beefier response? Cooks Illustrated set out to see what could be done, in “What Happened To Your Website.” Unfortunately, the disclosure […]

 

Naming names isn't always bad

In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached , optionsScalper asks “given Adam’s recent series on “Disclosure” (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this […]

 

Hasta La Vista Secure Flight

As mentioned on Freedom To Tinker and by Lauren Gelman, at the Center for Internet and Security, the TSA has mothballed it’s plans to deploy Secure Flight. Though the TSA will surely come up with something else, this is definitely a step in the right direction.

 

On Treatment of Prisoners and the Face of Evil

Establishing villainy is hard work. Too little, and your villains seem pathetic. Too much, and they’re over the top. Even drawing deeply on Joseph Campbell and with the music of John Williams, Lucas still needs actions to show that Darth Vader is the embodiment of evil. What does he choose? The first time we see […]

 

Selling Your Phone Records

Buried in your wireline and wireless telephone subscriber agreement is a notice concerning “customer proprietary network information” (CPNI). CPNI is your calling records. CPNI shows the phone numbers you called and received and for how long you talked. Privacy Rights Clearing House has a guide to “opting out of CPNI sharing.” This is great, because […]

 
 
 

Ka-Ping Yee on Phishing

In “How to Manage Passwords and Prevent Phishing,” Ping writes: So, right up front, here is the key property of this proposal: using it is more convenient than not using it. This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each […]

 

Brigham and Women's Hospital, 60 Medical Records, Fax Errors

For the past six months, Brigham and Women’s Hospital in Boston has been accidentally faxing the confidential medical records of women who’d recently given birth to a Boston investment bank, regardless of the bank’s repeated attempts to stop them, the Boston Herald reports. (via CSO Online.) (and) The records, called inpatient admission sheets, contain a […]

 

City of Washington DC, 190,000 SSNs, Willful Ignorance of Federal Law

Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver’s licenses, yet the District Department of Motor Vehicles continues […]

 

Blue Cross of North Carolina, 629 SSNs, "Human Error"

A “human error” at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. (“Computerworld“)

 

That's gotta sting

This administration reacts to anyone who questions this illegal program by saying that those of us who demand the truth and stand up for our rights and freedoms somehow has a pre-9/11 world view. In fact, the President has a pre-1776 world view. Our government has three branches, not one. And no one, not even […]

 

Is That Legal?

In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks: It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether […]

 

Nations Regions Bank, 100,000 credit cards, breach at unnamed(!) processor

From Indychannel.com: Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states — including Indiana — saying a separate company put their credit information at risk. Regions said the security breach involves a company that processes credit and debit cards nationwide. The bank, which says it was not responsible for […]

 

It Depends What The Meaning of "Credit Report" Is

Bob Sullivan has a must-read article “Her ATM card, but her impostor’s picture” about a woman whose SSN is being used by someone else: For years, Margaret Harrison believed she had an impostor. There were signs her Social Security number was living a double life. Four years ago, an unemployment office in West Virginia almost […]

 

Tools and Secure Code

Mike Howard (and company) have a great post about why “Code Scanning Tools Do Not Make Software Secure:” Such tools, often called static analysis tools, such as the tools we have included in Visual Studio 2005, are very useful, but they are no replacement for human intellect. If a developer does not know how to […]

 

New OpenSSH, with nifty feature

OpenSSH 4.3 is out. It has one new feature: Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or […]

 

Disclosure Laws, Redux

In responding to Lyal Collins’ comment on my “Disclosure Laws” post, I went and read the Rhode Island Identity Theft Protection act of 2005 (H6191). A couple of things occured to me. First, the National Conference of State Legislatures has a great list of Security Breach Legislation. Second, and perhaps more important, I don’t see […]

 

Disclosure Laws

In an article (“Credit card numbers reported stolen from R.I. state Web site“) about the Rhode Island breach, I found the following quotes: The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit […]

 

Responding to Terror

Once I was loose on the streets of the city, I continued to be impressed with what I saw. Spain is definitely no stranger to terrorism. They suffered the Madrid bombings just over 18 months ago and have been living with the current form of the ongoing sometimes-violent Basque Separatist movement since 1968. Somehow, though, […]

 

An unethical strategy?

Voting is a means of aggregating individual preferences in order to obtain a collective choice from a set of potential outcomes. Arrow notwithstanding, various voting schemes are often used for very important decisions. Voting is also used to select the winner of the Guy Toph Award, in Hillsborough County, Florida. In this case, the voters […]

 

Sports Authority in another Point-of-Sale data retention SNAFU?

I posted this to the Dataloss list earlier today. Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December. With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that […]

 

The Art of Shmoozing

Guy Kawasaki has a great post up on “The Art of Schmoozing.” It’s full of great advice. So read it, and let me know, what can we do to make this blog more useful to you?

 

Swire on Disclosure, Redux

Following on Chris’s post on disclosure, I’ve been meaning to mention Peter Swire’s “A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies:” A previous article proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than […]

 

The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, that I happened to run across. In it, Mr. Rianda, esq., discusses his view of why the breaches we are all […]

 

Without Surveillance, We'd Have Anarchy In The Streets

The New York Times reports that “Police Officers Sue Over Police Surveillance of Their Protests.” Previously in the New York Police Department department, we offered a look back at the “The New York City Police Riots,” which, if you think about it, indicates that New York City Police, unlike most of the unarmed demonstrators in […]

 

Redaction Is Harder Than Public Speaking

Did you ever have one of those days where you had a great, totally unfair pot shot to sling at Microsoft, and events just overtake your plans? It started out when I watched the videos of “Blue Hat 2005 – Security Researchers come to MS, Part I.” Now, I have some insight into the training […]

 

Dataloss Mail List

In what has become a near weekly occurance, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information; name, address, social security number, credit card number, bank account numbers, and more. Data Loss is a […]

 

University of Colorado at Colorado Springs, 2500 employees, SSNs, "virus"

Looks like a worm hit a personnel department PC. From the Colorado Springs Gazette: Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus. Names, Social Security numbers, birth dates and addresses […]

 

Breach disclosure insurance

A common argument used against state-level breach notification laws, and in favor of federal legislation overriding state laws, is that existence of these numerous state laws with their differing requirements and conditions raises the cost of compliance unacceptably. Just to be prepared to comply with potentially fifty distinct notification regimes, a firm would need to […]

 

Somebody's Watching Me

Don’t miss the awesome video of Somebody’s Watching Me from Progress Now Action. (Dear Sama: Thanks!)